[2036] in WWW Security List Archive
NON-DELIVERY of: RE: Java Hole: Web Graffiti & Covert Channels
daemon@ATHENA.MIT.EDU (www-security@ns2.rutgers.edu@NTGAT)
Thu May 9 20:13:38 1996
From: "ALPHA::IN%\"www-security@ns2.rutgers.edu@NTGATE@UNISG\""@ntgate.unisg.ch
Date: Thu, 09 May 1996 23:51:45 +0100
To: www-security@ns2.rutgers.edu
X-VMS-To: ALPHA::IN%"www-security@ns2.rutgers.edu"
Errors-To: owner-www-security@ns2.rutgers.edu
Intended recpient(s): 1TELECOUNTER
Failure reason: Error delivering to HSG_IWIA/IWI/UNISG/CH MAIL\1TELEC.NSF; File is in use by another program
Chad Owen Yoshikawa wrote:
>
> --------------------------------------------------------
> Web Graffiti & High Bandwidth Covert Channels Using Java
> --------------------------------------------------------
>
> While developing a chat server using Java as a frontend, we've
> been exploiting what we think is a new Java security hole in
> Java-enabled browsers such as Netscape. The hole allows for
> opening sockets to arbitrary ports on web servers that serve
> Trojan-horse applets.
>
> We've also used a known security hole (covert channels) first mentioned
> in work by the SIP group at Princeton to create what we call
> 'Web Graffiti' - the dynamic insertion of text, graphics, applets, into
> HTML pages.
>
> Both of these attacks are three-party attacks and require Trojan-
> horse applets. For a draft of a paper that is work in progress,
> point your browser to:
>
> http://whenever.CS.Berkeley.EDU/graffiti/
>
> Chad Yoshikawa Brent Chun
> chad@cs.berkeley.edu bnc@cs.berkeley.edu

I investigated your site, and was amazed to see the extent of this
problem. For example, the idea that a user hitting any site on the
web after activating the trojan horse applet will see whatever it
is the trojan horse wants them to see by REDIRECTING the URL
locations to the hacker server? This is very serious if true. (The
firewall doesn't allow in applets, so I couldn't test your examples.)

Also notice you mention this is present in Atlas; did you mean preview
release 2 (the latest one)? Congrats on finding this bug.

Gene
--
``Imagine if every Thursday your shoes exploded if you tied them
the usual way. This happens to us all the time with computers,
and nobody thinks of complaining.'' -Jeff Raskin
______ gene@cup.hp.com
/\__ _\ ingram@pubs.holosys.com
\/_/\ \/ ___ __ _ __ __ ___ ___
\ \ \ /' _ `\ /'_ `\/\`'__\/'__`\ /' __` __`\
\_\ \__/\ \/\ \/\ \L\ \ \ \//\ \L\.\_/\ \/\ \/\ \
/\_____\ \_\ \_\ \____ \ \_\\ \__/.\_\ \_\ \_\ \_\
\/_____/\/_/\/_/\/___L\ \/_/ \/__/\/_/\/_/\/_/\/_/
/\____/
________________________\_/__/____________________________________
PGP UserID: "Gene Ingram <gene@cup.hp.com>"
Key Size: 1024 bits; Creation date: 21 March 1996; KeyID: 9FEBA191
Key fingerprint: 93 E1 15 E6 35 BC B2 84 B2 7B 39 76 29 72 32 72
--3D signature created courtesy of ``Figlet Ascii Font Converter''
<http://mediacube.datacom.de/cgi-bin/moniteurs/figlet>
Return-path: <owner-www-security@ns2.rutgers.edu>
Received: from sgcl1.unisg.ch by sgcl1.unisg.ch (PMDF V5.0-5 #15592)
id <01I4IQPTV1AA00HIL6@sgcl1.unisg.ch> for 1telecounter@NTGATE; Thu,
09 May 1996 23:51:30 +0100
Received: from swisg9.unisg.ch (swisg9.unisg.ch)
by sgcl1.unisg.ch (PMDF V5.0-5 #15592) id <01I4IQPS4LZ400IA8O@sgcl1.unisg.ch>
for 1TELECOUNTER@sgcl1.unisg.ch; Thu, 09 May 1996 23:51:29 +0100
Received: from ns2.rutgers.edu by swisg9.unisg.ch with SMTP (PP); Thu,
09 May 1996 23:51:18 +0200
Received: (from daemon@localhost)
by ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12)
id OAA07944 for www-security-outgoing; Thu, 09 May 1996 14:36:20 -0400
Received: from paloalto.access.hp.com
(daemon@paloalto.access.hp.com [15.254.56.2])
by ns2.rutgers.edu (8.6.12+bestmx+oldruq+newsunq/8.6.12)
with ESMTP id OAA07936 for <www-security@ns2.rutgers.edu>; Thu,
09 May 1996 14:36:17 -0400
Received: from hpfsvr01.cup.hp.com (allan.cup.hp.com) by paloalto.access.hp.com
with ESMTP (1.37.109.16/15.5+ECS 3.3) id AA271816729; Thu,
09 May 1996 11:32:10 -0700
Received: from allan by hpfsvr01.cup.hp.com with SMTP
(1.37.109.15/15.5+IOS 3.20+cup+OMrelay) id AA086827029; Thu,
09 May 1996 11:37:09 -0700
Date: Thu, 09 May 1996 11:37:08 -0700
From: Gene Ingram <gene@hpfsvr01.cup.hp.com>
Subject: Re: Java Hole: Web Graffiti & Covert Channels
Sender: owner-www-security@ns2.Rutgers.EDU
Resent-to: 1telecounter@ntgate.unisg.ch
To: www-security@ns2.rutgers.edu
Errors-to: owner-www-security@ns2.Rutgers.EDU
Reply-to: www-security@ns2.rutgers.edu
Resent-message-id: <01I4IQPTVAXG00HIL6@sgcl1.unisg.ch>
Message-id: <31923B54.4AC2@cup.hp.com>
Organization: Hewlett-Packard Co.
X-VMS-To: IN%"www-security@ns2.rutgers.edu"
MIME-version: 1.0
X-Mailer: Mozilla 3.0b3 (X11; I; HP-UX A.09.05 9000/720)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Precedence: bulk
References: <199605090210.TAA00650@whenever.CS.Berkeley.EDU>